Strategic GRC Transformation
The Situation and Challenges
A well-established global insurance and investment management group has an entrepreneurial and democratic culture which allowed group-wide operational risk standards to be implemented in various flavours, as each business was empowered to interpret and apply them differently. Over time the implementation of these multiple flavours of the risk standard led to various challenges, including a proliferation of technology, processes and reporting, as:
the firm had multiple risk, governance and compliance technologies, including various products, in-house software, and spreadsheets.
the firm had multiple disparate manual processes; some processes were always expected to be manual, and some processes had become manual as the technology was no longer usable in some areas. Some technology product capabilities had been heavily customised and had over time become redundant as they could not meet the needs of the business or had become unmaintainable.
the firm had different reporting styles, content, and frequencies within the differing business units. At a group level there were also differing styles and frequencies of reporting for the various group meetings. Additionally, reporting required significant manual intervention and there were credibility issues with content due to poor data quality.
Additionally, there was a weak risk and control culture: the firm's businesses used differing risk and control terms, which compromised the credibility of the risk and control regime. This lack of credibility reduced the cultural importance and recognition of risk and control within the firm. The lack of credibility and recognition served to undermine the relationship between the 1LOD and the 2LOD (the first and second lines of defence).
The firm was in a position where there was audit and regulatory pressure to address the challenges; corporate restructuring provided the opportunity to force change.
What XCF Consulting Did
The firm recognised the need to undertake a group-wide transformation and engaged resources from XCF Consulting (XCF) to work on the transformation programme. The resources were involved in (i) the initial business case creation, (ii) programme direction and execution, (iii) subject matter expertise and consultancy, (iv) process analysis and design, (v) reporting approach and definition and (vi) training and education. The resources managed and guided the firm through five key elements:
Establishing Buy-In – as part of the business case creation and during transformation execution there were open discussions with board members, audit committees and members of the 1st and 2nd line to communicate the ethos and nature of the transformation. The firm undertook an RFP and chose a leading eGRC technology product. The situation was not a technology problem; however, there was recognition that by using the technology as a product the firm had the opportunity to bring its GRC practices and processes swiftly in line with peers.
Establishing a Delivery Partnership and Communication Framework – the transformation was executed as a series of focused delivery streams with workshops and management meetings for each. There was also a Steering Committee, an Operating Committee and a Risk and Control Forum, plus supplementary general communication. The intent was to maximise the engagement with the business units in partnership with 2LOD colleagues, so the business units did not feel "done to". The 2LOD worked through enhancing various standards documents in conjunction with the 1LOD to ensure clarity, remove ambiguity and foster partnership.
Demonstrating the Art of the Possible – the use of a credible eGRC technology product helped the various business units work together and compromise to establish unbiased group-wide processes. Following the mantra of using the product "Out of the Box", participants were guided to focus on outcomes rather than on pre-conceptions of what was required. The focus on outcomes was unifying, as it started to foster a common understanding and terminology. The transformation introduced well-structured taxonomies and data libraries and heightened awareness of the general importance of data.
Onboard Not Roll-out – initial implementation was made to the least challenging business areas to secure quick wins and demonstrate the credibility of the solution and approach; business units were onboarded when they were ready. As the implementation progressed, business areas started to enquire why they had not been onboarded sooner, and the successes further challenged and highlighted the efficacy of the business units that had not yet migrated.
Embedding and Reporting – it was recognised that the problem being solved was not a technology problem and that the key to success would be embedding and adoption. Much time was spent as part of the transformation creating training and reference materials, and a digital adoption platform was implemented in parallel with the eGRC system to provide a lasting source of training, information, and guidance. To verify the embedding, an Integrated Control Framework Report was designed that pulled together elements from across the platform; this report was for use in the Audit Committee, Executive Committee and various boards and management meetings. The report encouraged the use of the system by each business area and encouraged the appropriate focus on getting the data within the system correct in a timely manner.
Value Delivered
XCF worked with the firm to deliver a significant upgrade in the firm's risk and control processes and culture. The benefits delivered include, but are not limited to, the following:
Direct cost reductions and process efficiencies/simplification such as:
the decommissioning of various systems and infrastructure.
operational resource efficiencies within 1LOD and 2LOD, illustrated by (but not limited to) the creation of one single group wide Notifiable Event (Risk Event) process that brought together multiple (more than 30) risk event and breach (regulation, investment, service and policy) business processes.
simplification of Issue/Finding and Action Management across 2LOD and 3LOD into a unified approach.
the transformation delivered the mechanism to establish improvements in other areas such as data governance and data strategy.
Risk and Control cultural improvements such as:
improved relationship between 1LOD and 2LOD, illustrated by (but not limited to) the creation of a Risk and Control Forum.
the recognition of the importance of risk and control activities illustrated by (but not limited to) the 100% completion of RCSAs on time from a previous 5% timely completion rate.
Risk and Control Reporting improvements such as:
the creation and adoption of a consistent Integrated Control Framework report that was adopted at a group, business unit and legal entity level.
recognition from the executive committee of the improved quality of the reporting and of the support required to complete the journey of fully embedding and enhancing the practices into the firm's DNA.
the introduction of a monthly reporting cycle that created a consistent set of data to be used by all governance forums.
The transformation was highlighted for special praise in the regulator's Periodic Summary Meeting (PSM) letter, contributing to the regulatory approval for the restructuring.
It is recognised that the completion of the transformation is not the end: the delivered platform and practices will be enriched and evolved over the coming years, continuing to add value. The adoption of the technology product in a near-vanilla format means the firm will readily benefit from improvements to the product. The product improvements will provide ready access to improvements in risk and control best practice and technology going forward.